From 67d44e56bb92fc9b6a27d9b482b173fa0bcc8359 Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Sat, 25 Apr 2015 11:53:53 +0100
Subject: [PATCH] Don't set cookie_path or use strict mode Using cookie_path on IE has an issue and causes session, then CSRF issues Stop using strict_mode as causes a problem on some setups Add notes to these and httponly re IE and PHP version
---
 lib/settings-common.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/settings-common.php b/lib/settings-common.php
index 7c3131d..d77c019 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -22,13 +22,14 @@ if(!isset($_SESSION)) {
 	ini_set('session.name','ICEcoder_Cookie'); // Set a seperate cookie session name
 	ini_set('session.cookie_lifetime','0'); // Until the browser restarts by default
 	ini_set('session.cookie_domain',''); // This domain only
-	ini_set('session.cookie_path',str_replace($_SERVER['DOCUMENT_ROOT'],'',dirname(dirname(__FILE__)))); // ICEcoder path only
+//	ini_set('session.cookie_path',str_replace($_SERVER['DOCUMENT_ROOT'],'',dirname(dirname(__FILE__)))); // ICEcoder path only, fails ON IE
 	ini_set('session.use_trans_sid','0'); // Ensure this insecure feature is disabled
 	ini_set('session.hash_function','sha512'); // Use Sha512 for session
 	ini_set('session.hash_bits_per_character','6'); // Specify hash scheme of 0-9,a-v,A-Z,-,,
-	ini_set('session.use_strict_mode','1'); // Reject any session ID that was user provided and not generated by the session
-	ini_set('session.httponly','1'); // Only allow http protocol (ie, not JS) access to the cookie
+//	ini_set('session.use_strict_mode','1'); // Reject any session ID that was user provided and not generated by the session (since PHP 5.5.2)
+	ini_set('session.httponly','1'); // Only allow http protocol (ie, not JS) access to the cookie (since PHP 5.2.0)
 	ini_set('session.save_path',dirname(__FILE__).'/../tmp'); // Localise the session files to /tmp
+
 	if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
 	ini_set('session.cookie_secure','1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
 }
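Review bot: The re-added `ini_set('session.httponly','1')` line sets a directive that PHP does not have; the session directive is `session.cookie_httponly` (the one introduced in 5.2.0 that the new comment refers to), so this call is a no-op and the cookie stays readable from script unless the SAPI default already covers it. Change it to `ini_set('session.cookie_httponly','1'); // Deny JS access to the session cookie (since PHP 5.2.0)`. With `session.use_strict_mode` now commented out, the session layer will accept any client-supplied ID, so the remaining defence against session fixation is regenerating the ID when privilege changes (e.g. at login); whether that happens elsewhere cannot be seen from this hunk, and a comment on the disabled line noting that dependency would help the next maintainer. The enclosing `if(!isset($_SESSION))` block opens before the hunk.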